neconyd | fe1492f7ae529ad2ae64c039a0a1c31c3d63c2f76127297dcfba8c6be90bdf42

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 23:49

Target

5baf31f32673170f0cd572f1163ddce0_NeikiAnalytics.exe
Size

88KB
MD5

5baf31f32673170f0cd572f1163ddce0
SHA1

547a2a3bbd0e8c46f08975f7a4327a193bddb3b4
SHA256

fe1492f7ae529ad2ae64c039a0a1c31c3d63c2f76127297dcfba8c6be90bdf42
SHA512

e5835e3b3f069f83f83e0624a3ac8cd2224a5f981ab01bc30a55cebb6fdbb9be606a81367310c4d6fc271ce94a76abef76b173c03bffd601ed92316d96372f87
SSDEEP

768:jMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:jbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4048	4988	5baf31f32673170f0cd572f1163ddce0_NeikiAnalytics.exe	84
PID 4988 wrote to memory of 4048	4988	5baf31f32673170f0cd572f1163ddce0_NeikiAnalytics.exe	84
PID 4988 wrote to memory of 4048	4988	5baf31f32673170f0cd572f1163ddce0_NeikiAnalytics.exe	84
PID 4048 wrote to memory of 1212	4048	omsecor.exe	103
PID 4048 wrote to memory of 1212	4048	omsecor.exe	103
PID 4048 wrote to memory of 1212	4048	omsecor.exe	103
PID 1212 wrote to memory of 1856	1212	omsecor.exe	104
PID 1212 wrote to memory of 1856	1212	omsecor.exe	104
PID 1212 wrote to memory of 1856	1212	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\5baf31f32673170f0cd572f1163ddce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5baf31f32673170f0cd572f1163ddce0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1856

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
a49c428316dd423a8e33784955abfcf8

SHA1
a5e34dabeefeb8b53146ab98f5a8621901cbffa2

SHA256
6a32c838314717c312b561b3f128c97506d450d5a2a10830b2fa47f93c895ae1

SHA512
76e3e40c7a7579b73f408d0663a76d2ad0cdbf8ffc38395f6f454a4730680c75d626b9440752d0a03c82125ceba0458823462faf8f8be00e37c3dc5c79b9cfce

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
90df59328de4dbb6c8e90c80ce5bf639

SHA1
5e57e7d2f54eff0846de43fd178c76f5e4ad74b4

SHA256
a93344c14101598bd70225633fd4128d4682ed7ce588114d6cb0faa053cf2edb

SHA512
205ef728be808f283f1fbd5a5684285ce5c21b7b54449f18ded918a4ac828f855d60fea677bf62a6ba3c88cc20b769416914572eac3fe539f9070cbc8d8a3e6a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
45dbc72c6eb5d916137fdcfce091d4b8

SHA1
ea1bff298b9c5755a947c3085a07795a928465b2

SHA256
cf86f1a51abc7e3e11e4bbc247327b31341f8950b70d1eaa8d2c59422ecb47a1

SHA512
95fd4668446dfc4bd89d130991e238ed0c86548a824b348cc0a7aa7cf638af38e33ab4b4729ea035ca6de006f189cccd6e41194271ff2190097643c7d47cd8cb

Download Submit